Data Breaches Announced by MedRevenu & EyeCare Partners

Posted by Steve Alder

Data breaches have been confirmed by the revenue cycle management company MedRevenu Inland Physicians Hospitalist Services, and the Missouri-based eye care provider, EyeCare Partners.

MedRevenu Inland Physicians Hospitalist Services

MedRevenu Inland Physicians Hospitalist Services, a Montclair, CA-based vendor that provides revenue cycle management services to healthcare providers, has recently notified the California Attorney General about a cybersecurity incident. The incident occurred on or around December 12, 2024, and caused disruption to its network. The forensic investigation determined that files containing personal and protected health information may have been accessed or acquired in the incident, including names, dates of birth, Social Security numbers, driver’s license numbers/government identification numbers, health insurance information, medical information, financial account numbers, payment card numbers, and access information.

MedRevenu said it is reviewing and enhancing its cybersecurity measures and has offered the affected individuals complimentary single-bureau credit monitoring, credit report, and credit score services for 12 months. The BianLian threat group claimed responsibility for the attack and added MedRevenu to its dark web data leak site on December 14, 2024. Since data has been leaked, the affected individuals should ensure that they sign up for the credit monitoring services being offered and carefully check their account statements for data misuse, going back to December 2024. The incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

EyeCare Partners

EyeCare Partners, LLC, a St. Louis, MO-based nationwide provider of eye care services, has recently announced an email security incident that was first identified on January 28, 2025. Suspicious email activity was identified, and an investigation was launched, which confirmed that an unauthorized third-party had accessed multiple managed email accounts between December 3, 2024, and January 28, 2025.

It took until November 11, 2025, to review the compromised accounts, and notifications were issued to appropriate state attorneys general in February 2026. Data compromised in the incident includes names, contact information, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, health plan information, and limited clinical information.

EyeCare Partners said it has no reason to believe that any of the exposed information has been misused for identity theft or fraud; however, out of an abundance of caution, the affected individuals have been offered complimentary single-bureau credit monitoring, credit report, and credit score services for 24 months. EyeCare Partners said it has reviewed and enhanced its technical security measures and has provided further reminders to employees about how to recognize and avoid phishing attempts. The incident has been reported to the HHS’ Office for Civil Rights as affecting 17,110 individuals, including patients of The Ophthalmology Group, Ophthalmology Consultants, and Ophthalmology Associates.

The post Data Breaches Announced by MedRevenu & EyeCare Partners appeared first on The HIPAA Journal.

Pinehurst Radiology Associates & Tallahassee Memorial HealthCare Settle Class Action Data Breach Lawsuits

Posted by Steve Alder

Pinehurst Radiology Associates has agreed to settle a class action lawsuit over a January 2025 data breach, and Tallahassee Memorial HealthCare has agreed to settle class action litigation over its use of pixels on its website.

Pinehurst Radiology Associates Settlement

Pinehurst Radiology Associates, a medical diagnostic imaging center in Pinehurst, North Carolina, has agreed to settle a class action lawsuit over a January 2025 security incident that affected 8,682 individuals. Pinehurst Radiology Associates identified a cybersecurity incident on January 20, 2025, and determined that patients’ protected health information had been exposed. Data exposed in the incident included names, addresses, dates of birth, Social Security numbers, diagnoses, treatment information, medical record numbers, health insurance information, and Medicare/Medicaid numbers. The affected patients were notified on or around May 22, 2025.

Two class action lawsuits were filed in response to the data breach, which were consolidated in the Superior Court of Moore County, North Carolina – McNeill, et al. v. Pinehurst Radiology Associates, PLLC. The plaintiffs alleged that the data breach resulted from negligence because reasonable and appropriate cybersecurity measures had not been implemented. Pinehurst Radiology Associates denies all claims of wrongdoing, fault, and liability.

All parties explored the possibility of an early settlement, and an agreement on the material terms was reached on September 30, 2025. The final terms of the settlement have been negotiated, and it has received preliminary approval from the court. Pinehurst Radiology Associates has agreed to pay for CyEx Medical Shield Complete medical data monitoring services for 12 months for all class members, which include a $1 million identity theft insurance policy. Claims may also be submitted for reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $500 per class member. Losses must have been incurred between January 20, 2025, and April 9, 2026. The deadline for opting out and objection is March 7, 2026. Claims must be submitted by April 9, 2026, and the final fairness hearing has been scheduled for April 6, 2026.

Tallahassee Memorial HealthCare Settlement

Tallahassee Memorial HealthCare has agreed to pay benefits to current and former patients whose personal and protected health information may have been disclosed to third parties, such as Meta Platforms and Google Inc., due to pixels and other tracking and analytics tools on the Tallahassee Memorial HealthCare website.

According to the lawsuit, these tools collected data relating to website use, which may have included personal and protected health information depending on the user’s interactions with the website. The lawsuit claims that these disclosures occurred for marketing and advertising purposes, without the knowledge or consent of website users. The lawsuit claims that the disclosures violated the Florida Security of Communications Act and the Electronic Communications Privacy Act. The lawsuit also asserted claims of invasion of privacy, breach of implied contract, unjust enrichment, and breach of confidence.

Tallahassee Memorial HealthCare denies all claims of wrongdoing and liability, and all material allegations in the lawsuit, but chose to settle the litigation to avoid the cost and uncertainty of a trial and related appeals. The plaintiffs believe all claims have merit but agreed that the settlement is fair and in the best interests of all class members. Under the terms of the settlement, class members can claim a 24-month membership to CyEx Financial Shield Complete, as well as a cash payment of $17. The final fairness hearing has been scheduled for March 2, 2026.

The post Pinehurst Radiology Associates & Tallahassee Memorial HealthCare Settle Class Action Data Breach Lawsuits appeared first on The HIPAA Journal.